Forum Discussion

Sam_12987's avatar
Sam_12987
Icon for Nimbostratus rankNimbostratus
Apr 04, 2008

SSL off load and Npath

I am planning to test SSL off load and N-Path for multiple data centers where all the https request are redirected using policy based routing to Bigip

 

 

Request

 

Server Https <-- Datacenter n <--SSL Server side Bigip SSL client side <-- core Router <-- network <-- Client

 

 

Response

 

Server https --> Datacenter n -> Core Router --> network --> client

 

config
design
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Apr 04, 2008
    I don't think this will work because the client has negotiated a secure session with the BIG-IP, not the server. Even if the server responds from the "same" IP via nPath and with the same certificate, the SSL session ID would be different and the client probably wouldn't know what to make of that.

     

     

    I'm not sure what this would buy you anyway unless you are streaming large files over SSL back to the client.

     

     

    Denny
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Apr 04, 2008
    I did a small test of it and as Denny mentions this won't work. What is it you are trying to accomplish?
  • Sam_12987's avatar
    Sam_12987
    Icon for Nimbostratus rankNimbostratus
    Apr 05, 2008
    I am designing this for IBM ISS which currently dose not have SSL termination capabilities and hence they are trying to use BIGIP's for SSL offload in N-Path as they want to have all the https requests only to pass via BIGIP --> ISS --> BIGIP. Without Npath this works fine but the design uses cisco's PBR to forward only for requests.

     

     

    Thanks for the clarifying my doubt

     

     

    Sameer